Egypt: State Secrets Exemption under the Data Protection Law

The State Secrets Exemption in Egypt's Data Protection Law ensures that personal data held by national security authorities or data considered sensitive for national security reasons is excluded from the general data protection framework.

Text of Relevant Provisions

DPL Art.3(5):

*"The provisions of the annexed law shall not apply to the following:

1. Personal data which is held by the national security authorities, and whatever determined by them for other considerations. Upon the request of national security authorities, the Center shall notify the controller or the processor to modify, delete, hide, make available, or circulate personal data within a specified period, according to national security considerations. The controller or processor shall comply with the notification within the specified period therein."*

Original (Arabic):

*"نصوص القانون المرفق لا تسري على:

1. البيانات الشخصية التي تحتفظ بها السلطات الأمنية الوطنية، وما تقرره لهذه البيانات لأسباب أخرى. بناءً على طلب السلطات الأمنية الوطنية، يُخطِر المركز المتحكم أو المعالج بتعديل أو حذف أو إخفاء أو إتاحة أو تداول البيانات الشخصية في مدة محددة وفقًا لمقتضيات الأمن القومي. وعلى المتحكم أو المعالج الامتثال للإخطار في المدة المحددة."*

Analysis of Provisions

• State Secrets Exemption: Article 3(5) of Egypt's Data Protection Law explicitly exempts personal data held by national security authorities or data identified as sensitive for national security purposes from the application of the law. This exemption is broad and includes any personal data determined by national security authorities to require special consideration.
• Authority and Compliance: The provision empowers national security authorities to request actions such as modifying, deleting, hiding, or circulating personal data as they see fit. Controllers or processors of such data are legally obliged to comply with these requests within the specified timeframe.
• Scope of Exemption: The exemption is significant as it not only covers data directly held by national security agencies but also extends to any data deemed sensitive by these authorities for other considerations. This allows for flexibility in protecting data critical to national security and ensures that the general data protection regulations do not interfere with security-related operations.

Implications

• For Businesses: Companies dealing with data that may be classified as sensitive by national security authorities must be prepared to comply with directives from these authorities, which could involve significant alterations to their data processing practices. This could include sudden requests for data deletion or restrictions on data access.
• Operational Considerations: Businesses should develop protocols to respond swiftly to national security-related requests to avoid legal penalties. This exemption also means that businesses processing sensitive data must be aware that their data protection obligations under the general law may be superseded by national security considerations, potentially requiring cooperation with national security agencies.